PatchSiren cyber security CVE debrief

CVE-2017-6483 ATutor CVE debrief

CVE-2017-6483 is a medium-severity cross-site scripting issue in ATutor affecting versions through 2.2.2. The flaw stems from insufficient filtering of user-supplied lang_code data in admin language preference pages, which can let an attacker execute HTML or script in a victim’s browser within the site’s origin.

Vendor: ATutor
Product: CVE-2017-6483
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-05
Original CVE updated: 2026-05-13
Advisory published: 2017-03-05
Advisory updated: 2026-05-13

Who should care

ATutor administrators, security teams responsible for learning management systems, and any organization exposing ATutor’s affected admin pages to users who may interact with untrusted input should treat this as a web application security issue requiring prompt review.

Technical summary

NVD classifies this issue as CWE-79 (Cross-Site Scripting) with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The affected product scope in NVD covers ATutor versions up to and including 2.2.2. The vulnerable data flow is described as user-controlled lang_code input reaching themes/*/admin/system_preferences/language_edit.tmpl.php without adequate output filtering, enabling script injection when a user interacts with the page.

Defensive priority

Medium. The issue is network reachable and does not require privileges, but it does require user interaction and the impact is limited to low confidentiality and integrity effects in the browser context.

Recommended defensive actions

  • Upgrade ATutor to a version that addresses CVE-2017-6483, if available from the vendor.
  • Review and harden any server-side or template-side output encoding for lang_code and related language preference fields.
  • Restrict access to the affected admin/system preferences pages to trusted administrative users only.
  • Validate that user-controlled values are encoded on output in the relevant ATutor templates, especially language_edit.tmpl.php paths.
  • Use browser-side and application-side defenses such as Content Security Policy where compatible, as a compensating control for XSS risk.
  • Check for similar input/output handling issues in other ATutor admin templates that process language or preference parameters.
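The following PHP is an added illustration of the second, third and fourth recommendations above; it is not ATutor's code and not taken from the NVD record. It stands in for a language-edit admin page's handling of lang_code and shows the two controls side by side: a vulnerable render that writes the raw request value into the template (the CWE-79 shape the record describes) and a hardened render that validates the value on input and encodes it on output, plus a Content Security Policy header as the compensating control. The function names, the known-code list and the sample inputs are constructed for this example.

```php
<?php
// Added illustrative example, not code from ATutor or from this debrief.
// Names (validate_lang_code, h, render_*, send_csp_header, $known_codes)
// and all sample values are assumptions constructed for the example.

// Compensating control: a restrictive CSP on the admin pages limits what an
// injected script can do even if encoding is missed somewhere. Assumption:
// the application's own scripts are same-origin and not inline; verify that
// against the deployed templates before enabling this policy.
function send_csp_header(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
             . "object-src 'none'; base-uri 'self'");
    }
}

// Input validation: a language code is short and drawn from a small alphabet,
// so reject anything else, then confirm it is a code the application actually
// knows. This narrows the attack surface but is not by itself the fix; the
// output encoding below is what closes the XSS sink.
function validate_lang_code(string $input, array $known_codes): ?string
{
    if (!preg_match('/^[A-Za-z]{2,3}(?:[-_][A-Za-z0-9]{2,8})?$/', $input)) {
        return null;
    }
    return in_array($input, $known_codes, true) ? $input : null;
}

// Output encoding for an HTML body or double-quoted attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable shape: the raw request value lands in the template unencoded.
// Kept here only so the difference to the hardened version is visible.
function render_vulnerable(string $raw): string
{
    return '<input type="text" name="lang_code" value="' . $raw . '">';
}

// Hardened shape: only a validated value reaches the template, and it is
// encoded for the attribute context it is placed in.
function render_hardened(string $lang_code): string
{
    return '<input type="text" name="lang_code" value="' . h($lang_code) . '">';
}

send_csp_header();

// Constructed sample inputs: one benign code and one value containing
// attribute-breaking characters, of the kind an XSS scanner would submit.
$known_codes = ['en', 'fr', 'fr-ca', 'de'];
$samples = ['fr-ca', '"><script>alert(1)</script>'];

foreach ($samples as $candidate) {
    // The vulnerable render reflects whatever was submitted.
    echo 'vulnerable: ', render_vulnerable($candidate), PHP_EOL;

    // The hardened path rejects unknown codes and encodes the rest.
    $code = validate_lang_code($candidate, $known_codes);
    if ($code === null) {
        echo 'hardened:   rejected ', h($candidate), PHP_EOL;
        continue;
    }
    echo 'hardened:   ', render_hardened($code), PHP_EOL;
}
```

Running the script from the command line prints both renders for each sample, which makes the difference easy to inspect: the vulnerable line closes the attribute and emits a script element, while the hardened line either rejects the value or emits it with quotes and angle brackets as entities. When reviewing real templates, the check to make is that every echo of lang_code (and any other request-derived value) passes through an encoder matching its context, and that the encoder is applied in the template rather than relied on from an earlier layer.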

Evidence notes

This debrief is based on the supplied NVD record and listed references. The NVD entry marks the CVE as modified on 2026-05-13 and published on 2017-03-05. NVD identifies CWE-79, the vulnerable version range through ATutor 2.2.2, and references a SecurityFocus BID and a GitHub ATutor issue marked as Exploit and Vendor Advisory.

Official resources

Publicly disclosed in the supplied NVD record on 2017-03-05; the record was later modified on 2026-05-13. The supplied enrichment does not mark this CVE as CISA KEV.